Ruby Insecure Http Requests
Description
Identifies insecure HTTP requests in Ruby applications that use HTTParty or rest-client libraries. The vulnerability occurs when applications make HTTP (non-HTTPS) requests, which transmit data in plaintext and are susceptible to man-in-the-middle attacks, data tampering, and credential theft.
Detection Strategy
• Check if the application imports HTTParty or rest-client libraries
• Look for HTTP request method calls (get, post, put, patch, delete, head, options) made through HTTParty or RestClient objects
• Examine the URL argument of each such call to determine whether it uses the insecure 'http://' scheme instead of 'https://'
• Report a vulnerability when an HTTP request is made using an insecure URL scheme
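The four steps above read as a procedure, so here is a small lexical scanner that follows them over Ruby source text. It is an added example, not Fluid Attacks' rule implementation; the helper names (`imported_receivers`, `find_insecure_requests`) and the constructed sample file are assumptions for illustration.

```ruby
# Added example: a line-based scanner for insecure HTTParty / RestClient calls.
# Not the original page's or Fluid Attacks' code; names below are illustrative.

# Step 1: the library names a file may require, mapped to the receiver constant
# the request calls are made through.
HTTP_LIBS = {
  'httparty'    => 'HTTParty',
  'rest-client' => 'RestClient'
}.freeze

# Step 2: request methods both libraries expose as class-level calls.
HTTP_METHODS = %w[get post put patch delete head options].freeze

# Returns the receiver constants for the tracked libraries the source requires.
def imported_receivers(source)
  source.scan(/^\s*require\s*\(?\s*['"]([^'"]+)['"]/).flatten
        .filter_map { |lib| HTTP_LIBS[lib] }
end

# Steps 2-4: find Receiver.method('http://...') calls and report each one
# as a finding with its line number, receiver, method and literal URL.
def find_insecure_requests(source)
  receivers = imported_receivers(source)
  return [] if receivers.empty? # step 1 failed: nothing to inspect

  receiver_alt = receivers.map { |r| Regexp.escape(r) }.join('|')
  method_alt   = HTTP_METHODS.join('|')
  # Matches e.g. HTTParty.get('http://x') and RestClient.post "http://x", body
  call_re = /\b(#{receiver_alt})\.(#{method_alt})\s*\(?\s*(['"])([^'"]*)\3/

  findings = []
  source.each_line.with_index(1) do |line, lineno|
    line.scan(call_re) do |receiver, method, _quote, url|
      next unless url.start_with?('http://') # step 3: scheme check
      findings << { line: lineno, receiver: receiver, method: method, url: url }
    end
  end
  findings # step 4: one report per insecure call
end

# Constructed sample input (not a real project file) with two insecure calls,
# one secure call and one call through an untracked receiver.
SAMPLE_SOURCE = <<~'RUBY'
  require 'httparty'
  require 'rest-client'
  require 'json'

  def fetch_plain
    HTTParty.get('http://example.com/api', format: :plain)
  end

  def fetch_secure
    HTTParty.get('https://example.com/api')
  end

  def post_report
    RestClient.post "http://example.com/report", payload
  end

  def local_helper
    Http.get('http://not-a-tracked-library')
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  find_insecure_requests(SAMPLE_SOURCE).each do |f|
    puts "line #{f[:line]}: #{f[:receiver]}.#{f[:method]} uses insecure URL #{f[:url]}"
  end
end
```

The scanner only sees string literals, so a URL assembled from a variable, an interpolated string or a configuration value is missed; a rule that follows the strategy faithfully has to trace the URL argument back to its definition rather than stop at the call site.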
Vulnerable code example
require 'httparty'
require 'json'

def unsafe_request
  # Vulnerable: uses a non-HTTPS URL, so the request and response travel in plaintext
  response = HTTParty.get('http://example.com', format: :plain)
  JSON.parse(response)
end

✅ Secure code example
require 'httparty'
require 'json'

def safe_request
  # Safe: uses an HTTPS URL so the transfer is encrypted and the server is authenticated
  response = HTTParty.get('https://example.com', format: :plain)
  JSON.parse(response)
end